
Small Retailer Loses Business-Critical Data after Cyber Attack

Over the past two decades, technology has transformed the way businesses operate, and most depend on their computer systems in one way or another. Even traditional businesses, such as retail stores and wholesale distributors, utilize computer systems and the data held on those systems to ensure the day-to-day running of their operations. If those systems become unavailable or cease to function properly as a result of a cyber attack, it can have a detrimental impact on the business in question and result in substantial financial harm.

One of CFC's policyholders affected in this way was a home improvement business operating from a single store. The store sells a wide range of domestic goods, including outdoor furniture and sheds, garden equipment, kitchen utensils, bathroom fixtures and fittings, and DIY tools and equipment. Customers can buy in-store or have larger items delivered to their houses upon request. The business has a large warehouse connected to the retail store which is used to hold stock that can then be used to replenish the shelves or, in the case of larger items, brought out for customers to collect or have delivered.

Employee falls hook, line, and sinker

The incident began when an employee fell for a phishing email. The email stated that there was a financial statement attached that needed to be verified. Even though the email was not directly addressed to the employee, had numerous grammatical errors and appeared to come from a suspicious email address, curiosity got the better of the employee and he clicked on the attachment. Upon clicking on the attachment, a ransomware variant was downloaded onto the business’s server and began encrypting files and programs across the network, including the insured’s back-ups, which had not been stored externally.

With the server encrypted, the business wasn’t able to access any of the systems that it used every day, including the point-of-sales system and information relating to sales, deliveries and stock management.

Urgently needing to regain access to these systems and databases, the policyholder reported the matter to CFC’s cyber claims and incident response team. With the insured’s back-ups having been encrypted by the ransomware, our claims and incident response team considered the other options available. The first step was to establish which ransomware strain had been used in the attack by looking at the ransom note and a sample of encrypted files. In this case, the ransomware used was a well-known and well-established strain and the team was able to find a freely available decryption key online. Using the decryption key, the team began the process of decrypting the business’s programs and files.

In most cases involving ransomware, once a business’s data and programs have been decrypted and the ransomware has been removed, the business can continue to use its computer systems as normal.

However, things aren’t always as straightforward as this. Unfortunately, cybercriminals don’t have the same approach to product due diligence that law-abiding businesses do, and those who create ransomware won’t have gone to the effort of testing how compatible their ransomware strains are with every conceivable type of file or program. As a result, ransomware can lead to unintentional and sometimes irreparable damage to electronic files and computer programs.

In this case, although the majority of the business’s data was accessible following the decryption process, a database containing six months’ worth of information relating to stock levels and delivery statuses was corrupted. In spite of numerous attempts to reconfigure and restore the database, the files were deemed to be beyond repair, rendering them inaccessible to the business.

Corrupted database causes long delays

Without access to the database, the business faced numerous difficulties. Staff on the shop floor were unable to check the most up-to-date database to see if a particular item was in stock. So in the event that a customer asked if an item was available, the only option was for a member of staff to contact a member of the warehouse team and ask them to trawl through the warehouse to see if the item was there, leading to significant delays to the service. The lack of information on stock levels also meant that the business didn’t have an accurate overview of which items were low in stock and needed to be re-ordered from suppliers, resulting in a shortage of popular items. In addition, without access to delivery information, the business lost track of the delivery status of certain items, which resulted in items either not being delivered to the customer on time or in some cases being delivered twice.

The only way to tackle this issue was to manually re-create the current stock inventory. In order to do this, employees had to go through each item in stock, both in the warehouse and on the shop floor, create an identification number for each item and then scan it back onto the database. The business also needed to gain a better understanding of the delivery status of all items. To avoid delays and duplication, staff were required to go through all open sales and see how these corresponded with hard copies of delivery receipts to establish which items had been delivered and which items were still awaiting delivery.

Given the size of the store and the amount of stock and sales data this involved, this was a significant undertaking and staff were required to work overtime, but this alone wasn’t sufficient. The business also had to bring in contractors to assist with the task. In total, it took two weeks for the business to fully rebuild this database. This came at a cost of $20,858 made up of employee overtime and contract staff costs.

Although the store remained open during the entirety of the recovery period, disruptions to the service did result in a reduction in sales. For the month in question, the business had forecasted sales of $460,031, but the actual sales for the month only came to $353,611, a shortfall of $106,420. Applying a rate of gross profit of 20% to the shortfall, the insured’s business interruption loss was calculated at $21,284.

The role of human error and other lessons

This claim highlights a few key points. Firstly, it illustrates how human error plays a key role in many cyber incidents. Lots of businesses refuse to buy cyber policies on the basis that they have good IT security in place. But this reasoning doesn’t take into account the fact that the majority of cyber incidents are the result of human error. In this case, the incident was triggered by an employee clicking on a malicious attachment. Businesses should look to ensure that employees are educated about the risks posed by phishing emails and are made aware of how to spot them.

Secondly, it highlights how dealing with a ransomware incident is not always a straightforward matter of carrying out the decryption process and the business in question automatically regaining access to their systems and data. In reality, there can be all sorts of unforeseen complications. In this instance, even though the data and applications were decrypted using a freely available decryption key, the ransomware itself had corrupted one of the business’s key databases, which had a detrimental impact on the insured’s operations.

Thirdly, it demonstrates the importance of having data re-creation cover on a cyber policy. Many cyber policies only provide cover for the costs to recover or restore from back-ups, but not the costs to re-create or re-enter lost data from scratch. A sizable portion of the insured’s claim came about from the labour costs associated with staff and contract workers having to manually scan and re-enter data to ensure that the stock inventory was correct and up-to-date, and brokers should be sure to check that their clients have this important cover in place on their policies.

Finally, it reveals how almost all modern businesses have some form of cyber exposure. Even though the business in question was a household goods store that did not solely rely on its systems in order to operate, it still relied on its computer systems and data to manage the store effectively and to provide efficient customer service. When some of the business’s data was corrupted, it had a negative impact on overall operations, and having a cyber policy in place provided a valuable safety net for the company.

Source: www.cfcunderwriting.com


Third-party Downtime Leads to First-party Business Interruption Loss

An HR service provider lost contracts due to a cyber attack suffered by one of its supply chain partners.

Over the past two decades, technology has transformed the way businesses operate, and most now depend on their computer systems in one way or another. Rather than having to deal with everything in-house, many businesses choose to outsource elements of their IT infrastructure to third party providers, whether that be in the form of website hosting, data storage or application level services.

In many cases, outsourcing IT can prove to be a more efficient and cost-effective way of doing things, with businesses benefiting from the expertise of their third-party providers. However, outsourcing is not without risks. In a cyber insurance context, dependent business interruption describes a situation in which a third-party organization that supplies a policyholder with goods or services is affected by unexpected downtime as a result of a cyber event or system failure. Even though the policyholder’s computer systems may not be directly affected by the incident, the loss of the goods or services provided by the third-party can still have a major impact on the insured business’s ability to operate effectively. This means that a business can still suffer a business interruption loss even when its computer systems are unaffected.

One of our policyholders affected by this type of loss was a small company providing outsourced human resources services to a variety of different businesses. The organization provides a range of services to its customers, including payroll processing, employee benefits and health insurance and assistance with compliance and regulatory issues.

Third-party downtime, first-party problems

The business provides its payroll processing services through an online application, which in turn is owned and hosted by a third-party provider. The policyholder’s customers gain access to the payroll application through a link on the policyholder’s website, which takes them through to a landing page hosted by the third party where they can then log in to the application. Once these customers log in to the application, they are effectively operating on the third party’s computer systems, even though their contracts are with our policyholder.

The issue began when the third party responsible for providing the payroll processing application was hit by a ransomware attack. The ransomware encrypted the servers hosting the application, which meant that neither our policyholder nor its customers could gain access to it. As the application was hosted by the third party, our policyholder was powerless to control the situation and had to rely on the application provider to respond to the incident. The only thing the policyholder could do was to explain to its customers that the application was unavailable due to a cyber attack affecting the application provider and that regular status updates would be provided.

In the meantime, the third-party provider went about trying to deal with the issue by decrypting the affected servers, removing the ransomware and returning the application to its normal functionality. After three days of downtime, it looked as though the issue had been resolved and the insured and its customers were able to log in to the application once again. However, this breakthrough proved to be short-lived. During the encryption process, the ransomware had damaged the application and impaired its underlying functionality. This meant that while customers were able to log in to the application and view employee data, they were unable to update the data or process any payments.

To remedy the problems caused by the ransomware, the application was taken down once more and it was only after a further five days of downtime that the application was fully restored. To make matters worse, the downtime occurred at the end of the calendar month, a time during which most of our policyholder’s customers would ordinarily pay their employees.

Frustrated customers lead to lost contracts

With the payroll processing application rendered inaccessible as a result of the ransomware attack, some of the policyholder’s customers were unable to pay their employees on time. Although they were able to pay their employees once the application was up and running again, the delay in payment was a source of great frustration for both the businesses and the employees affected. As the customers that were impacted only had contracts with the insured rather than the application provider, it was the insured that bore the brunt of this anger.

Indeed, eight customers chose to cancel their contracts and take their business elsewhere. All of these customers sent individual letters or emails to our policyholder, explaining their reasons for cancelling. In each case, these cancellations came down to a combination of two factors: firstly, the delay in paying employees as a result of the ransomware attack and, secondly, a concern that the ransomware attack meant that sensitive data stored on the payroll application might not be secure. This served as confirmation that these customers were lost as a result of the cyber attack as opposed to regular customer churn.

The total value of these annual contracts came to $72,554 and despite the insured’s attempts to placate these clients and win them back, unfortunately none of these customers decided to reinstate their contracts, meaning that over the course of the 12-month indemnity period, the insured suffered a business interruption loss of $72,554.

While these losses are potentially recoverable from the application provider, this can be a costly and lengthy process and in the meantime the insured would suffer from cashflow issues due to the drop-off in income. Fortunately, however, the income loss from these cancelled contracts was covered under the dependent business interruption section of the company’s cyber policy with CFC, which covers business interruption losses arising as a result of a cyber event or system failure at a policyholder’s supply chain partner.

Dependent BI and other takeaways

This claim highlights a few key points. Firstly, it underscores the importance of having dependent business interruption cover in a cyber insurance policy. Some cyber insurers will only provide cover for business interruption losses resulting from cyber events that directly affect an insured’s computer systems. However, in this instance, at no point were the insured’s computer systems directly impacted by the ransomware – it was the application provider’s computer systems that were affected – and yet it still resulted in a sizable business interruption loss. By having dependent business interruption cover in place, the business was able to fully recover its financial loss.

Secondly, it illustrates the value of longer indemnity periods. Many cyber insurers only offer 3-6-month indemnity periods as standard. However, this ignores the fact that the financial impact of a cyber event can be felt for much longer than a 3-6-month indemnity period would allow for. In this case, the cancellation of annual contracts meant that for each cancelled contract, the insured lost 12 months’ worth of income. By having a 12-month indemnity period in place, they were able to reclaim quadruple the amount that they would have been able to claim on a policy with a 3-month indemnity period and double the amount they would have been able to claim under a policy with a 6-month indemnity period.

Finally, it highlights that businesses that receive their income on a contractual basis could be more exposed to business interruption losses, as the cancellation of monthly or annual contracts could very quickly result in sizable financial losses being incurred. Accordingly, businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their cyber policy.

Source: www.cfcunderwriting.com



Cyber Criminals Scam Construction Firm Out of Cash

Compared to many other industries, construction companies have been slower to take up cyber insurance. Because they typically don’t hold large amounts of sensitive data and aren’t solely reliant on their computer systems to carry out their business operations, construction companies don’t often believe that they are overly exposed to cyber risk.

Nevertheless, even if a business doesn’t hold vast quantities of data or isn’t wholly dependent on their systems to function, it is still likely that the business in question has some form of cyber exposure. Most modern businesses will hold some data on employees and third parties, use email to communicate with customers and suppliers, and use business bank accounts to receive and disburse funds electronically.

The construction sector is no different, and one area where they are particularly exposed is funds transfer fraud. Most construction companies will regularly work with suppliers and subcontractors to carry out their projects, and these partners will usually invoice the construction firm for the goods and services provided. If the company pays these invoices electronically, then they can fall prey to cybercriminals who are constantly looking for opportunities to intercept these payments and divert them to fraudulent accounts.

One of our policyholders affected by such a loss was a small construction firm with revenues below $50 million. The business specializes in commercial construction projects, ranging from office buildings to warehouse units and regularly makes use of specialist subcontractors to assist with projects.

Digging for login credentials

The scam all began when an employee fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft which stated that in order to implement some urgent new security features on his Office 365 account, he would have to verify his account details by clicking on a link in the email. Not wanting to miss out on these new features, the employee clicked on the link and entered his email login details. However, despite the email appearing to come from a legitimate source, the employee had unwittingly handed his credentials to a fraudster.

To make matters worse, the construction firm had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s email account remotely. This allowed the fraudster to monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

The employee whose email account had been compromised was one of the firm’s project managers. As part of his role, he regularly liaised with subcontractors and they would often send invoices over to him, which he would then pass to the finance department for payment. As it happened, a few weeks after the fraudster had gained access to the inbox, an email was sent over to the project manager from the managing director of a firm that had been subcontracted by the construction company to carry out some structural steel fabrication work on a project. The email had an invoice attached for a month’s worth of work done on the project, amounting to $93,425. Having spotted an opportunity, the fraudster chose this moment to strike.

Fraudster hammers out a plan

The first step was to set up a forwarding rule in the project manager’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails that fall within certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the steel fabrication firm’s genuine domain name were immediately marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the managing director of the steel fabrication firm. In order to do so, the fraudster created an email address which, to the untrained eye, was exactly the same as the managing director’s, but crucially omitted one character from the domain name. So rather than reading Joe.Bloggs@ABCfabricators.com, it read Joe.Bloggs@ABCfabicators.com.

The final step was to send an email to the project manager. In the email, the fraudster explained that the firm had recently changed banks and that the previous invoice had mistakenly included the old account details. The email went on to say that the new bank account details could be found on the new invoice attached to the email and that the construction firm should update its records so that all current and future payments went to the correct account.

The fraudster had used exactly the same invoice template as before, including the same company address, logo and statement of work, with the only amendment being the bank account details. In order to give the email an added sense of authenticity, the fraudster took the original email that had been sent by the subcontractor to the project manager and forwarded it on to the fake email account. The fraudster then replied to this original email when sending the fraudulent email to the project manager, making it appear as though it was part of the original email chain.
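The two tricks described above, the hidden mailbox rule and the one-character-short domain, are both things a mail administrator can check for. The following is an added example written for this page, not CFC's or ABEX's code: it compares a sender's domain against a list of known supplier domains by edit distance, and flags mailbox rules that silently mark a sender's mail as read and bury it, or forward it outside the organisation. The rule fields, the trusted-domain list and the sample rules are constructed for illustration.

```python
"""Defender-side checks for lookalike sender domains and mail-hiding inbox rules.
Added example; rule fields and sample data are constructed, not a vendor schema."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased (domains are case-insensitive)."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_matches(address: str, trusted_domains: Iterable[str],
                      max_distance: int = 2) -> list[str]:
    """Trusted domains that the sender's domain nearly matches but does not equal.

    ABCfabicators.com (the page's example) is one deletion away from
    ABCfabricators.com, so it is flagged; an exact match is not a lookalike.
    """
    domain = sender_domain(address)
    hits = []
    for trusted in trusted_domains:
        t = trusted.lower()
        if t != domain and edit_distance(domain, t) <= max_distance:
            hits.append(t)
    return hits


@dataclass
class InboxRule:
    """Simplified mailbox rule (constructed fields for this example)."""
    name: str
    from_contains: str = ""
    mark_as_read: bool = False
    move_to_folder: str = ""
    forward_to: str = ""


# Folders attackers use to hide mail: Deleted Items is the page's case; the
# others are common variants of the same pattern.
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive"}


def suspicious_rules(rules: Iterable[InboxRule], own_domain: str) -> list[str]:
    """Describe rules that hide a sender's mail or forward it to an external address."""
    findings = []
    for r in rules:
        hides = r.mark_as_read and r.move_to_folder.lower() in HIDING_FOLDERS
        external_fwd = bool(r.forward_to) and sender_domain(r.forward_to) != own_domain.lower()
        if hides or external_fwd:
            findings.append(f"{r.name}: from='{r.from_contains}' "
                            f"hides={hides} external_forward={external_fwd}")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the case: a supplier domain missing one character
    # and a rule that marks the real supplier's mail read and moves it to Deleted Items.
    print(lookalike_matches("Joe.Bloggs@ABCfabicators.com", ["ABCfabricators.com"]))
    sample_rules = [
        InboxRule("Clean up", from_contains="abcfabricators.com",
                  mark_as_read=True, move_to_folder="Deleted Items"),
        InboxRule("Newsletters", from_contains="news@vendor.example",
                  move_to_folder="Newsletters"),
    ]
    for line in suspicious_rules(sample_rules, "construction.example"):
        print(line)
```

Running the rule check over a real export of users' inbox rules on a schedule, and the lookalike check at the mail gateway against the accounts-payable supplier list, turns the page's two warning signs into alerts rather than something an employee has to notice by eye.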

Missed verification opportunity

With the email forming part of the original email chain, coming from a seemingly identical email address and carrying exactly the same invoice template, the project manager never doubted the legitimacy of the request. Assuming that the change of account was valid, the project manager sent the amended invoice over to the finance department for processing.

In theory, it was at this point that the scam should have been thwarted. The construction firm had previously sent out an email to staff regarding the verification of account changes, stating that all requests for account changes should be followed up with a call to an individual at the company requesting the changes to confirm that everything is in order. If this verification procedure had been carried out, it’s unlikely that the fake invoice would have been paid. Unfortunately, the member of the finance department dealing with the request failed to carry out this procedure and updated the bank details, resulting in the full $93,425 being transferred to the fraudulent account.

It was only when the managing director of the steel fabrication firm called up the project manager, several weeks later, to inquire about the status of the payment that the scam was uncovered. Both the banks involved and local law enforcement agencies were informed about the loss, but by this point it was too late and the funds had already been transferred out of the fraudulent account. With the funds deemed unrecoverable and the steel fabrication firm still expecting payment, the construction firm had little choice but to pay the invoice for a second time, resulting in a significant loss to the business. Thankfully, however, the construction firm was able to recoup the funds under the cybercrime section of its cyber policy with CFC.

Smarter criminals and other key takeaways

This case highlights a few key points. Firstly, it shows just how skillful cybercriminals are becoming at parting businesses from their money and how difficult it is for businesses to spot a fake.

In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the project manager into volunteering his email login details; set up a forwarding rule to prevent any emails from the real subcontractor reaching the project manager and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the genuine subcontractor’s; make it look as though the fake email sent to the project manager was part of the original email chain; and send over an invoice template identical to the one used by the genuine subcontractor.

Secondly, it illustrates how human error plays a major role in cyber losses. Many organizations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any business to eliminate this risk entirely. The fraudster was able to compromise the email account because the project manager fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee in the finance department failed to carry out a verification procedure.

Finally, it highlights how almost all modern businesses have some form of cyber exposure. Even though the policyholder in this case was a construction firm that didn’t solely rely on its computer systems to carry out its business operations, the company still used emails to communicate with subcontractors and made payments electronically. All it took was for just one email account to be breached for the business to be defrauded out of $93,425. But by having a cyber insurance policy in place, the company was able to successfully recover the loss, illustrating the value that cyber insurance can bring to any modern business.

Source: www.cfcunderwriting.com


Cyber Risk Heat Map

When speaking to clients about cyber insurance, it’s important to focus on areas that are relevant to the industry in which they operate.

Cyber insurance has a long reputation as a privacy liability product for businesses that hold sensitive data – but privacy exposure isn’t the only risk facing businesses today. In fact, cybercriminals are increasingly targeting traditional industries that hold almost no sensitive data at all, whether through ransomware attacks that halt operations or business email compromise scams that result in wiring payments to fraudulent accounts.

CFC’s cyber risk heat map was built from data relating to 2,500 cyber claims they have dealt with in the last two years as well as trends that their incident response team is witnessing externally. This color-coded graph ranks the severity of different industries’ exposure to business interruption, privacy, and cybercrime and includes a few examples of how these exposures can play out for different types of organizations.


Source: www.cfc.com


Traditional versus Project Insurance

Large construction projects create a mosaic of risks for all project participants—owner, architects, engineers, manufacturers, vendors, and contractors. In the standard form agreements for construction, the owner attempts to shift the risk to the construction manager/general contractor (CM/GC) via various provisions, including indemnification, consequential damages, cost, and schedule, just to name a few.

Despite this attempt to transfer the risks of the project contractually to third parties, the owner may still be liable for certain risks: extra hazardous operations; claims arising in common areas; owner-provided equipment, owner-retained contractors or owner-provided design; safety responsibilities or other liabilities or obligations assumed in the construction agreement; and vicarious liability arising out of the operations of the contractors.

Certain risks on the project are insurable, and the construction agreement requires the CM/GC and their subcontractors to provide certain insurance coverages and a certificate of insurance evidencing that the stated coverages are in force. This approach of having the CM/GC and all subcontractors provide the required insurance is often referred to as the “traditional insurance” approach and is used in many construction projects.

However, larger construction projects, generally over $50 million on commercial projects and $10 million-plus on “for sale” residential projects, lend themselves to be considered for insurance coverage on a project-specific basis, otherwise known as “wrap-up” insurance. Insurable risks that are commonly considered for project-specific coverages include the following.1

  • Commercial general liability and umbrella or excess liability
  • Workers compensation
  • Contractor’s pollution liability
  • Professional liability

The following advantages of project-specific coverage over traditional insurance are well documented.

  • Sponsor retains first-named insured status and more direct control over claims process
  • Completed operations extension or “tail” coverage (GL/XS/CPL/PL)
  • Higher catastrophic insurance limits
  • Broad coverage terms
  • Increases the size of the pool of bidders
  • Increased scrutiny on safety
  • Reduced internal time and expense devoted to insurance compliance
  • Potential for cost savings of the insurance line item by bundling the insurance spend of all the parties

Routinely, an owner is faced with two options to access the advantages of project-specific insurance coverages: the owner can purchase, or “sponsor” the coverage, known as an owner controlled insurance program (OCIP); alternatively, the CM/GC can purchase the coverage, known as a contractor controlled insurance program (CCIP). For purposes of this article, we will be limiting the discussion to OCIP versus CCIP insuring workers compensation and/or general liability/excess liability coverages.

OCIP versus CCIP—an Owner’s Perspective

Many midsized and large contractors have established CCIP programs, and it is common for them to propose utilizing their CCIP coverage for large projects.2 This is a good thing; it provides the owner with the options of relying on traditional insurance, purchasing an OCIP, or paying the CM/GC to provide the project-specific insurance coverage via a CCIP.

Once the owner’s chief financial officer or risk manager becomes aware of the capital project, it is quite common for them to engage their insurance broker or a consultant to prepare a financial pro forma to determine the extent of potential cost savings from sponsoring an OCIP. Routinely, the pro formas generate significant savings to the owner by assuming a large deductible or self-insured retention and controlling the claims expense; however, the owner should be cautious about relying on the projected savings, as there are many variables and assumptions that go into the pro forma. This is particularly relevant if the owner is comparing the costs and savings in the OCIP pro forma to the cost of a CCIP.

Ideally, both parties (the owner’s broker or consultant and the CM/GC) will provide OCIP/CCIP cost estimates based on the same set of data, which can be provided by either the owner’s broker or consultant or the CM/GC:

  • Project description
  • Desired lines of coverage and limits
  • Project term (estimated start/end dates)
  • Project budget
  • Workers compensation payroll by workers compensation code

By having both the owner and the CM/GC provide pricing based on the same data set, it will enable the owner to evaluate the costs of both OCIP and CCIP on a consistent basis.

Advantages of a CCIP versus OCIP—an Owner’s Perspective

Bifurcation of construction risks. To me, this is the leading reason to consider project-specific insurance. Because an OCIP or CCIP insures all contractors and the owner under a single policy, it allows the owner to insulate its corporate insurance program from losses arising out of construction operations, which prevents adverse loss experience on the construction project from driving up insurance rates on its core business. A CCIP accomplishes this bifurcation of construction risk just as an OCIP does.

Expertise. Owners with large capital expenditure (CapEx) programs may have sponsored OCIPs in the past or may have a “rolling” OCIP program for their CapEx program. However, there are many other owners that build a large project every several years and have limited experience with OCIPs. Internally, they may not have the expertise to evaluate, implement, and manage an OCIP; whereas, the contractor deals with construction risk every day and likely has robust risk management programs and personnel experienced in implementing and administering their CCIP. A common contractor sentiment is “if I have the risk, I should be able to purchase my own insurance to protect my risk.”

Resources. Owners have told me on numerous occasions that, while they are attracted to the potential cost savings of an OCIP, their staff is lean and they lack the capacity to administer one. While the insurance broker or OCIP administrator provides many of the transactional services (marketing the insurance coverages, preparing program documents, enrolling subcontractors, and collecting certificates of insurance and monthly payroll reports), the owner retains certain responsibilities as the sponsor of an OCIP, often within the owner's risk management department:

  • Selection of broker and/or OCIP administrator
  • Gather and provide underwriting information required to obtain the quotes
  • Review and approve OCIP documents prepared by the broker and/or administrator: underwriting submission, quotes, OCIP contractual addendum, and OCIP manual
  • Select insurer, coverages, and limits of coverage
  • Execute any legal agreements with insurer and post collateral, typically a letter of credit (LOC), if applicable
  • Review periodic OCIP reports
  • Review claims loss runs and participate in claims meetings
  • Make claims settlement decisions

If the contractor has experience sponsoring CCIPs, especially a "rolling" CCIP insuring multiple projects, it already has established protocols and experienced risk management and field personnel to manage all aspects of the program.

Collateral requirements. As mentioned above, if the OCIP is written as a large deductible program ($250,000–$500,000 each occurrence is common), the insurer will require the sponsor to post a clean, irrevocable LOC to secure that claims obligation. If the sponsor does not reimburse the insurer for paid claims, the insurer can present the LOC to the owner's bank and draw on it. LOCs have a cost element (typically 0.75–1 percent per year on the amount of the LOC), but the important point is that the insurer will likely require the LOC to remain in force through the statute of repose, which can be 5–12 years after substantial completion, depending on the state. Under a CCIP, the CM/GC holds this obligation.

Upfront insurance premiums. As the sponsor of an OCIP, the owner is responsible for paying certain costs upon binding coverage. Typically, the primary coverage carries a deposit premium (25–40 percent), with the remaining balance spread over the project. Excess/umbrella premiums are typically paid 100 percent upon binding, and the broker/administrator typically requires an initial installment as well. The CM/GC will also require payment for CCIP coverage, sometimes 100 percent upon binding, or it may be spread out as the work is billed.

Known insurance costs. For the lines of insurance provided by the CCIP, the cost of the CCIP is known at the beginning of the project. CMs/GCs typically charge for the CCIP as a percentage of construction cost (e.g., 2.5 percent of contract value).3 In addition, under an OCIP, if the payroll estimates in the pro forma are lower than the final audited payroll, the owner may owe additional premium;4 under a CCIP, the CM/GC bears this risk.

Drawbacks of a CCIP versus OCIP—an Owner’s Perspective

Loss of first-named insured status. As the sponsor of an OCIP, the owner attains first-named insured status on the general liability and excess/umbrella liability policies. In contrast, some CCIP sponsors and some insurers limit the owner to additional insured status. Their biggest concern is that they do not want the CCIP to inadvertently insure the owner's own operations (e.g., manufacturing or hospital operations). Suffice it to say, if the owner is listed as an additional insured, it must be satisfied that the language of the additional insured endorsement gives it an adequate mechanism to obtain protection under the CCIP.

Speaking of "insureds," it is also important for an owner to confirm that there is no "insured versus insured" or "cross-liability" exclusion on the CCIP. This provision, which prevents one insured from suing another insured, is common on wrap-up programs, particularly those placed in the excess and surplus lines market, and may prevent the owner from suing the CM/GC. Some versions of the endorsement restrict "named insureds" from suing other "named insureds"; other versions restrict suits between any insureds under the policy. In either case, if requested, underwriters will typically carve out an exception to the exclusion that allows cross-suits between the owner and the CM/GC.

Indirect involvement in claims. OCIPs can be an effective tool for owners to address liability claims brought by members of the public. Because the programs often have large deductibles, the owner has input into the claims settlement process, particularly when the value of the claim falls within the deductible. Municipalities, healthcare facilities, universities, and others with a sensitivity to public liability exposure prefer this more direct involvement in the claims process. In contrast, when the project is insured under a CCIP, the CM/GC is the party directing the claims, and it has the financial incentive to minimize claims payments.

Project with multiple CM/GCs. If the project utilizes a multiprime delivery model or involves multiple CM/GCs, an OCIP lends itself better to drive consistent insurance coverage, administrative protocols, and claims management across the entire project.

CCIP may cost more than an OCIP or traditional coverage. The cost of the CCIP, negotiated between the owner and CM/GC, may be higher than the cost of an OCIP or traditional insurance. In most cases, however, the OCIP cost is not known until the end of the project, because the two greatest variables in the savings formula are the amount of insurance credits or deductions taken from the CM/GC and subcontractor bids and the project's claims experience. If either of these elements falls short, the OCIP can cost more than a CCIP or traditional insurance.

Additionally, the cost of the CCIP may include an array of services such as an on-site medical trailer, claims management services, CCIP administration, and internal administrative time, which may not be fully accounted for in an OCIP pro forma.

Loss of statutory immunity. In certain states, there is established case law that a sponsor of an OCIP (i.e., the owner) enjoys statutory immunity protection from civil claims from employees of contractors insured under the OCIP. This owner benefit is negated under a CCIP.

Loss of completed operations coverage. One of the greatest coverage benefits of an OCIP or CCIP is the dedicated single limit and the extension of time the general liability and excess/umbrella policies will insure bodily injury and property damage included in the products-completed operations (PCO) hazard, typically out through the statute of repose. This is accomplished via a completed operations extension endorsement, or it may be included in a wrap-up endorsement on the policy.

Each insurer has specific policy language addressing when the coverage is effective and under what conditions it is void. Common conditions that void the PCO coverage extension (they vary by insurer) include the following:

  • The policy is canceled or nonrenewed for any reason prior to the policy expiration date.
  • There is a failure to pay premiums, audits, or deductible losses when due.
  • The work is not complete, or is abandoned, prior to the policy expiration date.
  • There is a material misrepresentation by the sponsor.
  • There is a failure to comply with loss control recommendations or peer reviews.
  • There is a failure to provide requested enrollment documentation.

These same conditions are also commonly found in OCIP policies. However, in an OCIP, the owner controls these variables. Under a CCIP, the owner has limited control and may be surprised if the PCO extension is canceled. If the PCO coverage is canceled, whether because of one of the conditions stated in the policy or because the CM/GC is replaced with another CM/GC, it will be very difficult to find an insurer willing to assume the PCO liability in the middle or at the end of a construction project.

It is suggested that the grounds for cancelling the PCO extension be minimized and that the owner require the CM/GC to warrant that the CCIP coverage will remain in force both during construction and during the PCO extension period. The owner will also be well served by requiring that the CCIP policies be endorsed to provide 30 or 60 days' notice to the owner of cancellation or nonpayment.

Conclusion

Owners should weigh all of the options available to them to ensure that the risks arising out of construction projects are adequately insured. Project-specific insurance coverage, whether OCIP or CCIP, offers many coverage benefits over the traditional approach of having the CM/GC and subcontractors each provide their own insurance protection. Either an OCIP or a CCIP allows the owner to bifurcate its construction risk away from the loss experience of its core insurance program.

A CCIP affords the owner the opportunity to capture many of the protections of project-specific coverage without the internal time, expertise, expense, and resources required to administer an OCIP. That said, owners should also be aware of the drawbacks to the CCIP approach and address insurance coverage concerns during the decision process.


1Builders risk insurance is also commonly written on a project-specific basis.

2The owner will sometimes request the CM/GC provide pricing for a CCIP as part of their proposal to construct the project.

3The cost of the CCIP varies by contractor, depending on the services provided, premiums, the state in which the project is located, limits, and project type.

4The OCIP insurer may offer a guarantee not to charge additional premium if the audited payroll is no more than 10 percent greater than the payroll used to calculate the deposit premium.

Source: www.irmi.com
